Mobile Malware Needs Different Security Approach, Say Researchers

The mobile security vendors getting the most attention among white hat hackers at Black Hat are innovating to address mobile threats in ways that are almost completely different from security software found on most desktops and laptop systems.

Antivirus software, which monitors file activity to detect malware strains, is far too intensive for tiny mobile devices, said Guy Stewart, vice president of engineering at FatSkunk, an early stage startup that has created a different way to protect mobile devices. While the computing power in most smartphones is growing exponentially every year, the battery on most mobile phones drains quickly, Stewart said.

Speaking to attendees at Black Hat 2013, Stewart, a security engineer, described FatSkunk's method, which involves monitoring the system cache of the device and taking measurements for subtle changes that could signal the presence of malware. The company's internally developed "microkernel" is installed on the device and constantly conducting an attestation process, verifying the integrity of the system and establishing a root of trust.

"We take the physical attributes of the device and one mechanism we use is the principle of displacement," Stewart said. "We look at how much cache we have and use that as our vessel to measure the volume and displacement caused by the presence of malware."

Throughout the two-day Black Hat briefings, security researchers shared ways to hack into Android devices, take over an iOS device in less than 60 seconds, or sniff and decrypt cellular traffic by hacking into microcell devices. Security researchers say the message is becoming increasingly clear: The ecosystem for mobile threats is very likely to be vastly different than that on desktops and mobile devices, necessitating a different defensive approach.

Gaining root access to the device is no longer necessarily needed, said Jeff Forristal, chief technology officer of Bluebox, a San Francisco-based mobile security startup that gained attention this month for discovering a serious certificate validation weakness in Android devices. System-level control is a way to gain access to the majority of the device, Forristal said. If successfully exploited, the master key vulnerability discovered by Bluebox enables an attacker to trick Google's validation process to turn legitimate apps into weaponized apps that could do serious damage.

The most dangerous mobile attacks have yet to be seen, say malware experts. On Thursday at Black Hat, Forristal demonstrated how he essentially built a Zip file tricking the verification process. The most dangerous attacks step beyond run-of-the-mill text messaging Trojans. They need a higher level of sophistication and a little blind luck as well, Forristal said.

"We used a combination of white box, black box, manual coding, a little trial and error and a little bit of luck as well to get this to work," Forristal told hundreds of Black Hat attendees. "It was an informed kind of debugging, trial-and-error session."

Apple devices were not immune to being hacked. In another Black Hat session, three researchers, Billy Lau, Yeongjin Jang and Chengyu Song, demonstrated a way to hack into Apple iPhones and iPads by exploiting several design weaknesses. The researchers used a power brick to carry out the attack. Once an iPhone or iPad is plugged into the power brick, the device is stealthily compromised.

The bulk of the mobile threats being detected are currently targeting Android devices but, over time, Apple devices could see increased threats if cybercriminals can make a business case for attacking the devices, said Richard Henderson, security strategist for Fortinet's FortiGuard Labs. Henderson said Fortinet has seen a 30 percent increase in mobile malware over the past six months.

"We're seeing a significant amount of malicious applications with adware and spyware capabilities," Henderson said. "Ransomware is also now turning to mobile devices."

Henderson said a variety of technologies eventually will come together to protect mobile devices. Fortinet has its own mobile device management solution. Other companies are emerging, using virtualization to address data protection, keeping corporate data from being stored on the device. The techniques and technologies are very likely to converge over time, Henderson said.

"The threat is very real and some of the best solutions we're seeing today are addressing security by protecting the data, not necessarily the device itself," he said.

Slide Shows

Doron Kempel says selling hyper-convergence can be challenging for solution providers, but success will come from taking business from competitors that are unprepared or hesitant to embrace the technology..